question about Service Provider Cert

Paul Hethmon paul.hethmon at
Mon Feb 11 16:04:15 EST 2013


Are you referring to the public/private key used by Shibboleth SP to sign authentication requests? Or are you referring to an SSL certificate used to provide confidentiality to your web server? If the latter, then Shibboleth does not care. The transport layer security is before Shib gets involved. You can secure it as you would any SSL-protected site.

If the former, you'll need to create your private key, then a certificate signing request, and then have a commercial CA sign it. Then you will have the private key and signed public key to use in your Shibboleth configuration. Note that Shibboleth does not care about SAML signing keys being "signed" by a commercial CA. Also note it adds no additional trust or security to do so. Trust is established by you furnishing your public key to the IdP by an out of band process and them trusting it was you that furnished it. Having a commercial CA sign that key adds no value. It does however cause you to keep up with its expiration date year in and year out.


From: Carl Buxbaum <cbuxbaum at>
Reply-To: Shibboleth Users <users at>
Date: Monday, February 11, 2013 3:31 PM
To: Shibboleth Users <users at>
Subject: question about Service Provider Cert


I am trying to get a handle on the certificate installation for a Service Provider implementation. I successfully developed and tested an SP IdP-initiated SSO implementation using a self-signed certificate against the Shibboleth IdP, but the customer requires a CA-issued cert. According to the documentation of the CA, they talk about generating a cert request, and then importing the entire certificate chain into my SP keystore. Since I already have the private key in my keystore, do I really need to import anything else after running keytool -genkey? Do I need to import the resulting cert into the IdP? And the rest of the cert chain? Or do I just take the resulting cert and place it in the metadata for the Identity Provider? The Identity Provider they are using is PingFederate.

Thanks for the help.

Carl  Buxbaum
Software Architect
TradeStone Software
17 Rogers St. Suite 2; Gloucester, MA 01930
P: 978-515-5128 F: 978-281-0673

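As an added example (not code from either message in this thread, and not Shibboleth project code), here are the openssl steps that match Paul's answer: generate a self-signed SAML signing key pair for the SP with no CSR and no commercial CA, produce the metadata KeyDescriptor that is handed to the IdP out of band, check that the private key and certificate actually belong together before anything is published, and show the verification the IdP performs with the pinned certificate. openssl is used rather than keytool because the native Shibboleth SP reads PEM key and certificate files; the CN, file names, and 10-year validity are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from the Shibboleth
# project. Generates a self-signed SAML signing key pair for an SP with openssl,
# emits the metadata <md:KeyDescriptor> handed to the IdP out of band, and
# checks the key/cert pairing. File names, CN and validity are assumptions.
set -eu

# 1. Private key + self-signed certificate in one step. No CSR, no commercial CA:
#    the IdP trusts this key because it appears in the SP metadata it was given.
gen_sp_signing_cert() {
  key="$1"; cert="$2"; cn="$3"; days="${4:-3650}"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "$key" -out "$cert" -days "$days" -subj "/CN=$cn" >/dev/null 2>&1
}

# 2. The certificate as one-line base64 DER, the form used inside
#    <ds:X509Certificate> (PEM header/footer and line breaks stripped).
cert_b64() {
  openssl x509 -in "$1" -outform DER | openssl base64 -A
}

# 3. KeyDescriptor for the SP's metadata. use="signing" marks the key that signs
#    AuthnRequests; the IdP pins this certificate, not a CA chain.
key_descriptor() {
  printf '<md:KeyDescriptor use="signing">\n'
  printf '  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">\n'
  printf '    <ds:X509Data>\n'
  printf '      <ds:X509Certificate>%s</ds:X509Certificate>\n' "$(cert_b64 "$1")"
  printf '    </ds:X509Data>\n'
  printf '  </ds:KeyInfo>\n'
  printf '</md:KeyDescriptor>\n'
}

# 4. Before publishing: does this private key belong to this certificate?
#    Compare the SHA-256 of the DER public key taken from each side.
pubkey_fp_from_key() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
pubkey_fp_from_cert() {
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}
key_matches_cert() {
  [ "$(pubkey_fp_from_key "$1")" = "$(pubkey_fp_from_cert "$2")" ]
}

# 5. What the IdP does with the pinned certificate: verify a signature made with
#    the SP's private key. The message body is a constructed placeholder.
sign_and_verify() {
  key="$1"; cert="$2"; dir="$3"
  printf 'constructed sample AuthnRequest body' > "$dir/msg"
  openssl dgst -sha256 -sign "$key" -out "$dir/msg.sig" "$dir/msg"
  openssl x509 -in "$cert" -pubkey -noout > "$dir/sp-pub.pem"
  openssl dgst -sha256 -verify "$dir/sp-pub.pem" -signature "$dir/msg.sig" "$dir/msg" >/dev/null 2>&1
}

# Demo run: generate into a temp dir, check the pairing, and print the
# descriptor to paste into the SP metadata that is given to the IdP.
demo() {
  d=$(mktemp -d)
  gen_sp_signing_cert "$d/sp-key.pem" "$d/sp-cert.pem" sp.example.org
  key_matches_cert "$d/sp-key.pem" "$d/sp-cert.pem"
  key_descriptor "$d/sp-cert.pem"
}
demo
```

If the customer still insists on a CA-issued certificate, the same KeyDescriptor is produced from the CA-signed certificate instead; the IdP still matches the signing key against what is in the SP's metadata, and the chain is not what establishes trust. What the CA adds is the expiry Paul mentions: the key_matches_cert check above is worth re-running whenever the certificate is replaced, since a renewed certificate paired with the wrong private key fails silently until the IdP rejects the signed request.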